Supply Chain Solutions for Modern Software Development (Sonatype)
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
The State of Open Source Vulnerabilities - A WhiteSource Webinar (WhiteSource)
Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges.
In this webinar, learn how open source security vulnerabilities are found, how to address open source security concerns within your organization, and understand the difference between securing your open source components and securing your proprietary code.
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you:
- Understand the latest trends in open source security threats and what they mean for your organization in 2016
- Learn simple steps to quickly find and protect yourself from newly reported threats
- Prepare your organization to respond to new vulnerabilities in open source projects
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ... (WhiteSource)
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
Winning open source vulnerabilities without losing your developers - Azure De... (WhiteSource)
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how developers should take part in maintaining open source security.
Accelerating Innovation with Software Supply Chain Management (Sonatype)
We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry?
As presented via webinar.
The Open Source 360 survey is in its 11th year and surveyed over 800 IT professionals about their use of open source components and technologies. In prior years, this survey was known as the Future Of Open Source.
Key takeaways include:
- Open Source usage is growing within global organizations
- Organizations recognize risks of consumption exist
- Tooling to keep pace with risks is limited
- Contributions to project communities are key to success
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver to discuss the hot topics generating buzz in the year to come.
Modern software projects cannot exist without open source software (OSS). It allows software projects to have rapid growth, credibility, and the trust of their users. However, the wide adoption of OSS also brings huge security risks. Improper maintenance of OSS components may result in serious and costly security breaches, like the Equifax case, when the company lost 100K credit card profiles. In this talk, we will give an overview of the current problems regarding the management of third-party components of software projects and the ways to address them, and I will also present our methodology for identifying possible security issues coming from OSS dependencies. The methodology has demonstrated its sustainability in use at SAP, a large international software development company.
The State of Open Source Vulnerabilities Management (SBWebinars)
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
The State of Open Source Vulnerabilities Management (WhiteSource)
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
OSSF 2018 - David Habusha of WhiteSource - Open Source Vulnerabilities 101 (FINOS)
Open source components have become a key building block for application development in today's market, where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges. Over the past few years, we have seen a variety of open source vulnerabilities wreak havoc across the web (Heartbleed, Shellshock, and POODLE), which woke organizations up to the risks that come along with the convenience of using open source components.
Join our session to:
- Learn how open source security vulnerabilities are found
- Learn how to address any open source security concerns within your organization
- Understand the difference between securing your open source components and your proprietary code
- Learn how to automatically detect vulnerable open source components and prioritize security alerts
Taking Open Source Security to the Next Level (SBWebinars)
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution, and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
In the world of DevSecOps, as you might expect, three teams work together: Development, Security and Operations.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur... (Black Duck by Synopsys)
Seldom does a month go by where the NVD entries don't break 1,000, and March 2017 is no exception. The vulnerability of the week is CVE-2017-2636, a serious security flaw in the Linux kernel that appears to have been present since 2009. More on that story follows.
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
Why Aren't You Using Sitecore Analytics? (Hero Digital)
Sitecore Symposium 2017 Presentation by Kristine Stebbins, Hero Digital, Managing Director
Sitecore Analytics is extremely powerful, but oftentimes marketers simply aren’t aware of the power of the system and what is available to them. Kristine Stebbins uses her own research data to clear up misconceptions about Analytics and gives tips on how to get the most out of it now.
Help Me, Help You: Supporting Your Data (Data Con LA)
Data Con LA 2020
Description
Understand the data product lifecycle and ensure your data is set up for success
In order to get the most out of your data team, understanding the infrastructure needs at every step of the data product lifecycle is imperative. In my presentation we'll cover:
- Collect the Right Data: collect what you want in the future, not where you are now
- Silo to Warehouse: consolidating disparate data sources and establishing a source of truth
- Setting Your Team Up for Success: development platform and DataOps
- Don't Forget to A.I.M.: thinking about product adoption, implementation, and monitoring
- So What?: tracking impact and making the case for more data
Speaker
Kisa Brostrom, boodleAI, Vice President of Data
Join experts from LinkedIn for an interactive session as we walk you through the best ways to use key features, and get the answers you need to become a more effective and efficient user.
Check out weekly product tips: LNKD.IN/product-tips
You’ve just learned about technology options for your nonprofit, and you think, “Great, I’m so excited to get started! But wait—how can we start implementing within our current resources?” Engaging pro bono volunteers might be the right way to go!
Engaging pro bono volunteers for your technology needs will not only allow you to create new ways to deliver on your mission, but it will help broaden your volunteer options as well (in a way that many, many corporate volunteer programs are looking for!).
This session will take you through the entire process of finding just the right volunteer or group of volunteers, including:
- How to create an effective job description and project timeline geared toward technology volunteers
- Best practices in recruiting pro bono volunteers with specialized skill sets
- How to market your new volunteer roles
- How to scale your program to accommodate companies seeking pro bono opportunities for their employees
- How to align your staff or volunteer structure to support pro bono volunteers
CraftConf16 "Empathy: The Hidden Ingredient of Good Software Development?" (Daniel Bryant)
When I ask fellow developers what they think about empathy, the answer is often “not much”. However, I believe that the skill of empathy, being able to place yourself in another’s position, is crucial to designing, building and operating software at any scale. Join me for a whistle stop tour of the benefits of empathy, which I have learned from working on a wide variety of software projects over the previous ten years. I will share stories of success and failure, and suggest practical techniques that you can harness in order to help your team develop empathy.
When gathering requirements and performing business analysis, it is obvious that the ability to experience from within another user/customer/being's frame of reference is a valuable skill, but the same can be said when writing code. If we follow Martin Fowler’s train of thought where “any fool can write code that a computer can understand. Good programmers write code that humans can understand” we can see that empathy is at the heart of this skill. We could also argue that the rise of “DevOps” is simply both sides of the traditional divide trying to understand each other better. Developing the skill of empathy isn’t necessarily easy, but in this talk I will share my learnings, techniques and tricks for developing more effective software.
microXchg 2017: "Microservices: The People and Organisational Impact" (Daniel Bryant)
Microservices are where it's at. Everything is easier to manage when it's micro, right? Micro code bases (less than 10 LOC), micro containers (less than 10Mb), and micro teams (less than one person???). 'Micro' things may appear to be easier to manage, but there is always a macro context, and working with people and teams is no exception. This talk presents some of the challenges the OpenCredo team have seen when implementing microservices within a range of organisations, and we'll suggest tricks and techniques to help you manage your 'micro' teams and the 'macro' level.
Topics covered include:
- empathy, because understanding others is at the heart of everything you do;
- leadership: advice on creating shared understanding, conveying strategy, and developing your team;
- organisational structure: from Zappos' holacracy to MegaOrg's strict hierarchy, from Spotify's squads, chapters and guilds to BigCorp's command and control. There is a management style for everybody;
- and more.
Embedded User Assistance: Third Rail or Third Way? (Steven Jong)
It’s challenging to provide technical documentation in an environment where people say “nobody reads the manual” (or even “nobody looks at the help”) and instead demand “intuitive interfaces.” Smartphones are now the most common web browser, and we face an audience with little patience for reading; we feel squeezed out of existence. But there’s an opportunity for us to go from a supporting, or even superfluous, role to center stage: by providing embedded user assistance.
Steve describes and gives examples of embedded assistance, shows how it's being used today, discusses the challenges of working close to or even inside the code, and relates the effects of participating throughout the design process (as in an Agile environment) as well as working with UX designers (or becoming one yourself).
Presentation given at STC New England InterChange Conference, 2 April 2016, Lowell, Massachusetts USA.
These are the slides from Scholastica's 2017 ISMTE conference presentation on how to perform an operational audit at your journal. We cover how to set effective journal performance goals, key metrics to track, and the tools and strategies your editorial team will need to start tracking journal performance on a regular basis. Conducting regular operational audits is a great way for journal teams to refine their workflows and internal documentation, which can prove especially useful when onboarding new editors.
Measure what matters for your agile project (Munish Malik)
While working with Agile projects, we simply can't get away from tracking and showcasing the progress of the project. A typical Agile project would be working with estimates, story points, velocities, burn-up or burn-down charts.
I have witnessed numerous sprint reviews and showcases where the business is only waiting to see those few slides of the presentation where the "actual" red worm runs against the "planned" green worm, trying to catch up. If the red worm is ahead, I have seen a smile on the faces of the stakeholders. If it matches the green one, there is a sigh of relief. And as a development team you should just pray that the poor red guy is not falling behind the green one, lest it lead to a lot of questions starting with why, how, what, etc.
There have also been times when unfortunate heated discussions went on forever about why the team ended up not claiming a few points that they had committed to. What gets lost is what the team accomplished in the sprint that adds real value to the product. There have also been times when the estimates were questioned by the product owner or account managers. If you are working in a distributed setup where the product owner is working out of a different country, the problem is even bigger.
Let us think about a scenario where the project gets completed on time, on budget and in scope. The majority (or all) of the estimates were correct. However, when the product went live to the market it failed big time. What is the use of building such a product?
Are we focusing too much on numbers and points and overlooking the other important aspects of Agile software development such as producing software that delights the customers and looking for ways on how we can measure that? Are we measuring if we are creating a solid, robust and a scalable platform that is ready for future developments and enhancements? Are we measuring the outcomes of the time we are spending in the shoes of the people who will actually use the software?
The objective of this presentation is to promote the idea of measuring what matters for your project: measuring the goals that your software development wants to achieve. I don't plan to showcase an exhaustive list of measurements that can solve all your problems; instead I want to highlight some samples that I have used in my projects with the help of my team, which helped us measure things that add value to the business and to development, versus simply creating burn-down charts.
Mainly, I want to encourage thinking out of the box to identify what measurements will really matter for your projects, perhaps from the eyes of the users and the business, and to see which things, if measured, will add a lot more value than estimates alone and will help in creating a valuable product that truly delights the business and the users of the product.
This content is from a recent webinar we held which was an interactive session on the best ways to use key features of LinkedIn, and get the answers you need to become a more effective and efficient user.
Topics covered:
Focus on active candidates - get active candidate search techniques, InMail strategies that work, and tips on how to best pipeline talent for 2016.
Enhanced Jobs Page - understand how personal insights for job seekers will drive more qualified candidates for your open positions.
Discover the right tools for your Project Management Office (PMO) (Hussain Bandukwala)
No matter what the domain, having the right tools at our disposal can make a significant difference.
For the PMO, the right tools dictate the shift in our focus from management to administration.
Project/Program Managers often find themselves scrambling to collect pertinent and accurate information to update their statuses, while Resource Managers may have to connect with several people to determine whether they have staffed their resources efficiently and have sufficient bench to staff upcoming initiatives.
These are some of the reasons that compel PMOs to surround themselves with the right tools. But what are the right tools? How did we end up with the not-so-right tools? Why are the right tools so important?
Learn all this (and more) in "Discover the right tools for your Project Management Office (PMO)"
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
30+ Nexus Integrations to Accelerate DevOps (Sonatype)
No single tool can deliver on the promise of DevOps. Instead it's a collection of tools, easily integrated, tightly managed, and effectively automated. Learn how Nexus integrates with more of the DevOps tools you use every day.
Starting and Scaling DevOps In the Enterprise (Sonatype)
Gary Gruver, Gruver Consulting
In my role, I get to meet lots of different companies, and I realized quickly that DevOps means different things to different people. They all want to do "DevOps" because of all the benefits they are hearing about, but they are not sure exactly what DevOps is, where to start, or how to drive improvements over time. They are hearing a lot of different great ideas about DevOps, but they struggle to get everyone to agree on a common definition and on what changes they should make. It is like five blind men describing an elephant. In large organizations, this lack of alignment on DevOps improvements impedes progress and leads to a lack of focus.
This session is intended to help structure and align those improvements by providing a framework that large organizations and their executives can use to understand the DevOps principles in the context of their current development processes and to gain alignment across the organization for successful implem
DevOps Friendly Doc Publishing for APIs & Microservices (Sonatype)
Mandy Whaley, CISCO
Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and api consoles, and maybe just a few secret documents trapped in chat room somewhere… Keeping docs updated and in sync with code can be a challenge.
We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that:
Has a developer friendly editing flow
Accepts many API spec formats (Swagger, RAML, etc.)
Supports long form documentation in markdown
Is CI/CD pipeline friendly so that code and docs stay in sync
Is flexible enough to be used by a wide scope of teams and technologies
We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of building modern infrastructure. This is most definitely a culture + tech + ops + dev story; we look forward to sharing it with the DevOps Days community.
The Unrealized Role of Monitoring & Alerting w/ Jason Hand
Sonatype
In today’s world, a company must be a “Learning Organization” in order to be successful and innovative. Learning from both failure and success, in order to implement small incremental improvements is critical. But until you implement and apply new information, you haven’t truly “learned” anything and you certainly haven’t improved.
According to the 2015 Monitoring Survey, most companies leverage metrics from monitoring and logging purely for performance analytics and trending. If high availability and reliability are important, they also leverage metrics to alert on fault and anomaly detection. Despite these “best practices”, the metrics are primarily only used as context to keep things “running” or return them back to “normal” if there’s a problem. Rarely is that data used as a method to identify areas of improvement once services have been restored. When an outage occurs to your system, you will absolutely repair and restore services as best you know how, but are you paying attention to the data from the recovery efforts? What were operators seeing during diagnosis and remediation? What were their actions? What was going on with everyone, including conversations? A step-by-step replay of exactly what took place during that outage.
This “old-view” perspective on the purpose of monitoring, logging, and alerting leaves the full value of metrics unrealized. It fails to address what’s important to the overall business objective and it lacks any hope of seeking out innovation or disruption of the status quo.
This talk will illustrate how to identify if your company is making the best use of metrics and ways to not only learn from failure, but to become a “Learning Company”.
DevOps and All the Continuouses w/ Helen Beal
Sonatype
DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg.
DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain.
When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you had Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?
A Small Association's Journey to DevOps w/ Edward Ruiz
Sonatype
Small and medium-size businesses are under the same pressure to innovate-at-speed as large corporations. They face these challenges with shoestring IT budgets and limited staff who are stretched thin and forced to wear multiple hats. These limits are particularly acute in the world of nonprofit associations. But with the right vision and culture, even small teams can successfully implement a DevOps philosophy and bust the barriers to high-speed IT innovation.
In this presentation, I will recount our small membership association’s transformative journey to DevOps and share the lessons we learned along the way. I will offer first-hand experiences and practical ideas on how to cultivate a collaborative team culture to realize faster deployment cycles while improving build quality and delighting customers with great software.
What's My Security Policy Doing to My Help Desk w/ Chris Swan
Sonatype
Operational data mining gives us a rich source of data for the third devops way - continual learning by experimentation. It also shows us just how damaging those 90 day password resets can be. This talk will look at what can go wrong, and the renewed fight to fix the problem at the root.
Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors
Sonatype
Lee Calcote, SolarWinds
Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique.
Swarm
Nomad
Kubernetes
Mesos+Marathon
We’ll take a structured look at these container orchestrators, contrasting them across these categories:
Genesis & Purpose
Support & Momentum
Host & Service Discovery
Scheduling
Modularity & Extensibility
Updates & Maintenance
Health Monitoring
Networking & Load-Balancing
High Availability & Scale
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Sonatype
Justin Collins, Brakeman Security
It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews.
This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
Madhu Akula, Automation Ninja
We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk.
For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and making the right choices in real time can prove to be a nightmare, even with the solutions already available in the market.
As I have experienced this myself, as part of the internal DevOps and Incident Response teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS-based centralised visual attack monitoring dashboard. This setup would be able to perform real-time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talk and demo are relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes is too short for attendees to do hands-on work, the following will be required:
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
Erlend Oftedal, Blank
Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems.
At the conclusion of this session, we hope to have shed some light on the positive and negative security effects of such architectures.
Getting out of the Job Jungle with Jenkins
Sonatype
Damien Corabouef, Multipharma, Clear2Pay
Implementing a CI/CD solution based on Jenkins has become very easy. Dealing with multiple feature, staging and release branches? Not so much. Having to handle that for multiple teams and multiple projects becomes a real challenge. This presentation shows a solution to scale to several thousands of jobs, used by dozens of different development and test teams, 24 hours a day, 7 days a week, on a worldwide schedule.
I will talk about the challenges that we’ve met, and how we’ve put in place a scalable and on-demand solution, secure and simple to use.
This is a real-life, real-scale story of making CI/CD a day-to-day reality by allowing development and test teams to consider automation as a simple and customisable service.
Nathen Harvey, Chef
Automation at scale is the foundation of every successful high velocity organization.
Automation requires dynamic infrastructure that is managed as code. Modern infrastructure code means bringing the lessons from software development to your infrastructure. Automation is managed in version control systems, tests drive code development, code moves through a continuous pipeline from the workstation to the production environment. What will this look like in five years? We will see a continued improvement in the way teams work together toward common goals, build more operable applications, and embrace complexity while improving ease-of-use.
Continuous Everyone: Engaging People Across the Continuous Pipeline
Sonatype
Jayne Groll, DevOps Institute
Culture is undoubtedly one of the most critical aspects of any DevOps initiative. While much emphasis is placed on the automation of the deployment pipeline, there is also a need for a “Continuous People Pipeline”. Continuous People Pipelines help individuals and teams recognize their contribution to the value stream, provide realistic approaches and milestones for ongoing communication and collaboration and can be the basis for shared accountabilities and meaningful metrics. Most importantly, people pipelines help increase trust, flow, feedback and connection across IT silos.
This session will provide insight on the value, creation and support of Continuous People Pipelines. It will help attendees understand some of the human dynamics of change that must be considered – cultural debt, adoption models, acceptance curves, collaboration, immersion and conflict management. At the end of this session, leaders will take away some innovative strategic and tactical ideas for overcoming silo constraints and creating a collaborative culture that excites, engages and unifies people towards common business goals.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Mentors View: Aligning Your Team and Your Powers for Success
1. Mentor’s View: Aligning your team and your powers for success
Chris Carlucci
Customer Success Engineer
Sonatype
2. Agenda
2 4/28/2016
• Getting Started on Your Journey
• Open Source Policy Guidelines
• Policy Results in Eclipse & Jenkins
• Meaningful Success Metrics
3. Getting started on your journey
• Rugged DevOps, Software Supply Chain, Now What?
• The Hero’s Journey
• Align Your Heroes
• Building Bridges
• Setting Expectations
5. Different Stakeholders, Different Priorities
“Where’s that release?”
“Done! On to the next sprint.”
“Now, where are we in that process?”
6. Building A Better Bridge Between Dev, Ops & Sec
• Tooling needs to adopt the practice of the practitioner
• A tool is not a process and a process is not a tool; learn to leverage both
7. Two Philosophies
Support & guide:
• Objective information across the lifecycle
• Each performs the task they are good at
• Faster component selection and issue resolution
• Bridges the developer “compliance” gap
Scan & scold:
• Reactive information late in the lifecycle
• Creates rework and slows remediation
• Hinders technology innovation
• More expensive
8. Communicate Expectations
Determine lifecycle enforcement strategy:
Allows developers time to research & fix or to request waivers
Everything is documented on an internal WIKI
Lifecycle stages shown: Development, CI Build, Promotion to staging or release
21. It’s Not Always What You Measure…
http://ronjeffries.com/articles/016-03/you-want/
22. …It’s the Behavior that Results
Manager: “Nathan, this isn’t fair. You’re just showing the number of stories, not how big they are.”
Nathan: “That’s right.”
Manager: “But that’s not fair!”
Nathan: [silent]
Manager: “All I’d have to do would be to divide up my stories into little bits and release those every month.”
Nathan: [silent, smiling]
Manager: “Oh.”
• Soon, the manager was doing small stories, to the benefit of everyone.
http://ronjeffries.com/articles/016-03/you-want/
23. Success Metrics
• Short Term – Time to Value
• “By the end of the workshop, we configured ~80% of our policies. Just six business days after training, we have made the test environment available in our organization”
• Long Term – Quality Metrics
• MTTR
• WIP
• New violations delivered to production
25. Wrap Up
• Manage your Software Supply Chain
• Collaborate with counterparts – BA/PM/Dev/QA/Ops/Sec.
• Discuss mutual interdependence and shared objectives
• Automated Real-Time Feedback is a win-win
• http://bit.ly/app-check
26. We’re here, engaged & ready to help
Nexus Newsletter
Nexus Live – Google Hangouts
Cool Things in 2 Minutes
Customer Success Team
Training On-Site or Online
Online Knowledge Base
Nexus Community Pages
Books Online
28. Chicago, IL
April 27, 2016
Mentor’s View: Aligning your team and your powers for success
Chris Carlucci, Customer Success Engineer, Sonatype
Editor's Notes
Introduction
Name
CSE - Work with organizations to build better component practices such that they can improve their software supply chain management
Today, I am going to..
=================
In general, there are 2 main requirements when deploying software and this is especially true with component management
Tooling - Non-negotiable, like any other practice, developers can’t succeed unless equipped with the right tools. The major keys with tooling include:
Integrate where developers work, not the other way around
Needs to operate at the pace of development or it becomes a bottleneck
Process - The process you put in place allows you to enable that tooling to developers (e.g. education), set clear expectations (e.g. What is required of me?) and at the end of the day monitor and track usage / progress
So, when I walk into an organization. The first goal is understanding where we are starting from:
What is the culture?
Education?
Tooling – What are we transitioning from?
Current processes – Have developers had to adhere to prior checks within the SDLC
Initial success metrics. What does first value mean to you? Small/quick wins
BOM
Remediation
Enforcement
Bring in the right people
Subject matter experts
Organizational support – change of technology, process requires top down executive support. Ability to mandate usage?
Enterprise success metrics. Provide examples
Education
How do developers get integrated
How do they get educated
What can they reference for assistance
Who can they contact when encountering an issue
Track – At the end of the day, someone needs to provide approval – What do they need to see?
When bringing multiple groups together, we must understand and accept that they have different priorities. Establishing this and the interactions between them is key
---------------------------------------------
People
How many are developers?
How many are managers?
How many work in operations, tool chain?
Governance?
OSS
How many people are familiar with the concept of dependencies?
What languages? Java, npm, NuGet?
Tooling
How many here use a repository manager?
Process
How many have a manual review process for component approvals?
How many go straight to the internet for components?
How many have application checks at release time?
Successful tooling integrates where the developers are performing their work – IDE, CI, Repository Manager
Tooling / Technology is not the sole answer – Process must be established around it to set expectations, train developers and track progress to continually make improvements
All parties on the same playing field of information
Empower developers to make better choices
Initiate constructive conversations
------------------
https://www.linkedin.com/pulse/agile-transformation-what-went-wrong-pradeep-bindra
Implement Agile in an Agile way. When leading organizations through the transformation from traditional software development to Agile, it is a great idea to start small. Identify only a few pilot teams that are ready to volunteer and are enthusiastic. This will not only help to focus on early, small successes in adapting Agile to the organization but it will also increase trust and help identify the barriers (organizational and personal) to fostering greater change. Starting small will help to quickly surface the delivery of business value, reduce risk, and prepare people to move the organization to greater levels of agility.
You as the project team have the responsibility to ensure the tooling is generating valid issues
Developers should remediate, not validate
Lack of clarity leads to frustration, bottlenecks and lack of trust in the tooling
----------------------------
A developer’s options or path forward should be as obvious as possible
What are the enforcement points?
What do I HAVE to fix to be able to release to production? Ex. Fix the red violations
Administration team should be easily accessible for questions
------------------
Limit the mandatory issues developers receive
Too many issues results in tool antipathy
A threat threshold should be defined
Threat threshold should be communicated clearly
Anyone who has ever used security or quality tooling..
Static Source Code
Not every issue can be critical –
Sensory overload
How do you know where to start?
Skepticism around the tool
Cost of doing business
This is more actionable
Threat level denotes priority - Drives developer actions
Advice: Fix the red
Tip: Especially where expectations didn’t exist before – devs cannot immediately comply – Pandora’s box – set a time period for grandfathering violations; cannot fix everything on day one
This is the process that every organization goes through
Discovery – Understand how my org builds and releases software. - Big need
Inventory – I need to be able to identify all my applications and all the components within my applications. Do you know where they are? What they contain?
Policy – Once inventory is collected, I need to identify the things that I care about
Mitigation – Once you have identified the policy, you need to push this out to devs for mitigation
Enforcement – This may be necessary to eliminate high risk in production applications. Recommendation is to warn early and fail late, but even still, take care with this decision
Question – What is the main purpose of a policy? Answer – To drive intended behavior
no smoking?
speed limit? – You are either following it or not – Yes or No
don’t run with scissors
password strength?
Point - Policies don’t have to be these big, complicated things, they should be simple and concise rule(s) for defining guidelines around open source component consumption
For Open Source Components, we generally see 4 main types of policy
Security
Legal
Architecture
Match State
How do we decide on the exact guidelines – subject matter experts
Policy characteristics
Precise
Contextual
Actionable
Continuous
Fast
Keep in mind
Each organization is at a different starting point
Different groups may sponsor the initiative, driving different directives
In general, we see
Most organizations begin with small goals, given the maturity of their open source supply chain
Most organizations start with Auditing to better understand the scope of the problem
Most organizations warn early, and fail late
As always, some organizations have a compelling event as to why they purchased, e.g. finding Struts
Are you driving the intended behavior?
Are developers making better choices?
Is the software quality going up and productivity going up?
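The lifecycle enforcement strategy in these notes (warn early, fail late), threat-level prioritisation ("fix the red") and time-boxed grandfathering, worked through as an added Python example that is not part of the talk or of Sonatype's products; the stage names, threat numbers, policy rules, component names, versions, CVSS scores, licenses and waiver dates are all constructed assumptions for illustration.

```python
"""Added illustration (not from the talk or Sonatype's products): a toy open source
component policy evaluator showing "warn early, fail late" enforcement with a
threat threshold and time-boxed grandfathering waivers. All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Lifecycle enforcement strategy: only the release gate blocks on red violations;
# earlier stages surface the same findings as warnings so developers can fix early.
STAGE_ACTION = {"development": "warn", "ci_build": "warn", "release": "fail"}
RED_THRESHOLD = 7  # "Fix the red": violations at or above this threat level are mandatory
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}          # legal policy (constructed list)
BANNED = {"struts": "blocked by architecture review"}  # architecture policy (constructed)

@dataclass
class Component:
    name: str
    version: str
    license: str
    max_cvss: float = 0.0  # highest CVSS score among known vulns (constructed values)

@dataclass
class Violation:
    policy: str     # security / legal / architecture
    component: str
    threat: int     # 0-10; threat level drives developer priority
    reason: str

@dataclass
class Waiver:
    component: str
    policy: str
    expires: date   # grandfathering is time-boxed, not permanent

def security_policy(c: Component) -> Optional[Violation]:
    if c.max_cvss >= 7.0:
        return Violation("security", c.name, 9, f"CVSS {c.max_cvss} vulnerability")
    if c.max_cvss >= 4.0:
        return Violation("security", c.name, 5, f"CVSS {c.max_cvss} vulnerability")
    return None

def legal_policy(c: Component) -> Optional[Violation]:
    if c.license in COPYLEFT:
        return Violation("legal", c.name, 8, f"copyleft license {c.license}")
    return None

def architecture_policy(c: Component) -> Optional[Violation]:
    if c.name in BANNED:
        return Violation("architecture", c.name, 7, BANNED[c.name])
    return None

POLICIES = (security_policy, legal_policy, architecture_policy)

def evaluate(bom, stage, waivers=(), today=None):
    """Return (decision, actionable, waived); decision is 'pass', 'warn' or 'fail'."""
    today = today or date.today()
    actionable, waived = [], []
    for c in bom:
        for policy in POLICIES:
            v = policy(c)
            if v is None:
                continue
            covered = any(w.component == c.name and w.policy == v.policy
                          and w.expires >= today for w in waivers)
            (waived if covered else actionable).append(v)
    actionable.sort(key=lambda v: -v.threat)  # red first, so developers know where to start
    red = [v for v in actionable if v.threat >= RED_THRESHOLD]
    if not actionable:
        return "pass", actionable, waived
    if red and STAGE_ACTION[stage] == "fail":
        return "fail", actionable, waived
    return "warn", actionable, waived

def new_violations(previous, current):
    """Long-term metric 'new violations delivered to production': findings in the
    current release that were not present in the previous one."""
    seen = {(v.component, v.policy) for v in previous}
    return [v for v in current if (v.component, v.policy) not in seen]

# Constructed sample application BOM and one grandfathering waiver.
AS_OF = date(2016, 4, 28)
SAMPLE_BOM = [
    Component("commons-collections", "3.2.1", "Apache-2.0", max_cvss=9.8),
    Component("struts", "2.3.x", "Apache-2.0"),
    Component("mysql-connector-java", "5.1.x", "GPL-2.0"),
    Component("jackson-databind", "2.7.x", "Apache-2.0", max_cvss=5.3),
    Component("guava", "19.0", "Apache-2.0"),
]
SAMPLE_WAIVERS = [Waiver("struts", "architecture", expires=date(2016, 6, 30))]

if __name__ == "__main__":
    for stage in STAGE_ACTION:
        decision, found, waived = evaluate(SAMPLE_BOM, stage, SAMPLE_WAIVERS, AS_OF)
        print(f"{stage:12s} {decision:5s} "
              f"actionable={[(v.component, v.threat) for v in found]} waived={len(waived)}")
```

Running it shows the same three findings reported as warnings in development and CI but failing the release gate, with the waived struts finding returning as actionable once its waiver expires.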
Application Health Check is an easy no-cost way to run a report and get real results so that you can have better visibility into all of the components that make up your application. Your app does not leave your network. A one-way fingerprint is generated from the components in your app and compared against Sonatype’s Data Services to identify a Bill of Materials.
Background – Static Source Code Analysis